There was an old version of the JBoss web application in use; the application was vulnerable to authentication bypass, not to mention that I was able to authenticate with the default username and password.

Risk: I was able to deploy an application of my choosing on the server and to send system commands.

I made a responsible disclosure on 17.03.2014.

They asked me two questions:

“Our development team needs answers to the following questions:

1. Would upgrading our JBOSS version fix the issue? If yes, what version is recommended, as there could be a case where we need to check inter-compatibility between the multiple pieces of software we have installed on the server.